The first salvo on NANOG this morning in response to the launch of OpenDNS was a predictable lambasting along the lines of "here comes SiteFinder II".

Fortunately the follow-ups were quick to point out that OpenDNS is a far cry from SiteFinder, for the obvious reason that people can choose whether to use it; nobody had a choice with SiteFinder.

OpenDNS adds an extra feature set to recursive DNS.

SiteFinder added a wildcard DNS entry to the TLD namespace that wasn't there beforehand, so every resolver on the net saw the synthesized answer whether its operator wanted it or not.

OpenDNS has a value proposition based on security. The Wired article concentrated on fixing typos, which the service does attempt, but the real magic here can come from its use in phishing mitigation.

Also, some not-so-good news for typosquatters: OpenDNS can make all those parked typo domains invisible to its users. Somebody had to put the first nail into the "direct navigation" coffin; here it is.
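To make the distinction in the paragraphs above concrete, here is an added example (not OpenDNS or easyDNS code) that models the two places an answer can be rewritten: at a recursive resolver that applies per-user policy (phishing names sent to a block page, parked typo domains and NXDOMAIN sent to a guide page, everything else passed through with its TTL intact), and at the TLD itself, SiteFinder-style, where a wildcard changes the authoritative answer for everyone. It also includes the check a practitioner would run: query a plain resolver and the filtering one for the same name and classify how the answers differ, so that a legitimate answer being replaced shows up as something other than a known block or guide page. All zone data, addresses (RFC 5737 documentation ranges) and policy lists are constructed for illustration.

```python
"""Rewriting at the recursive resolver vs. a wildcard at the TLD, plus a client check.

This is an added example, not OpenDNS or easyDNS code.  All zone data, addresses
(RFC 5737 documentation ranges) and policy lists are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

NOERROR = "NOERROR"
NXDOMAIN = "NXDOMAIN"


@dataclass(frozen=True)
class Answer:
    rcode: str
    records: Tuple[Tuple[str, int], ...] = ()  # (A rdata, TTL) pairs


# Constructed authoritative data: owner name -> A records with TTLs.
ZONES: Dict[str, List[Tuple[str, int]]] = {
    "schwinn.com.": [("198.51.100.10", 3600)],
    "example-bank.com.": [("203.0.113.5", 300)],
    "examp1e-bank.com.": [("192.0.2.66", 60)],    # constructed phishing look-alike
    "schwin.com.": [("192.0.2.99", 86400)],       # constructed parked typo domain
}


def authoritative(name: str, tld_wildcard: Optional[Dict[str, str]] = None) -> Answer:
    """The answer the authoritative servers give.  `tld_wildcard` models a
    SiteFinder-style wildcard: every nonexistent name under that TLD resolves to
    one address, for every resolver on the net, opted in or not."""
    if name in ZONES:
        return Answer(NOERROR, tuple(ZONES[name]))
    if tld_wildcard:
        tld = name.rsplit(".", 2)[-2] + "."
        if tld in tld_wildcard:
            return Answer(NOERROR, ((tld_wildcard[tld], 900),))
    return Answer(NXDOMAIN)


@dataclass
class PolicyResolver:
    """A recursive resolver that applies policy to the upstream answer.  Only its
    own users see the rewritten answers; everyone else still sees `authoritative`."""
    block_page: str                 # address substituted for blocked names
    guide_page: str                 # address substituted for NXDOMAIN
    phishing: Set[str] = field(default_factory=set)
    typo_parking: Set[str] = field(default_factory=set)

    def resolve(self, name: str, upstream: Callable[[str], Answer] = authoritative) -> Answer:
        if name in self.phishing:
            return Answer(NOERROR, ((self.block_page, 0),))
        if name in self.typo_parking:
            # a parked typo domain made "invisible": treated as if it never existed
            return Answer(NOERROR, ((self.guide_page, 0),))
        answer = upstream(name)
        if answer.rcode == NXDOMAIN:
            return Answer(NOERROR, ((self.guide_page, 0),))
        return answer  # legitimate answers pass through unchanged, TTLs included


def classify(vanilla: Answer, filtered: Answer, synthetic: Set[str]) -> str:
    """Client-side check: ask a plain resolver and the filtering resolver the same
    question and classify the difference.  `synthetic` is the set of addresses the
    filtering resolver is known to synthesize (block page, guide page)."""
    if vanilla == filtered:
        return "identical"
    if vanilla.rcode == NXDOMAIN and filtered.rcode == NOERROR:
        return "nxdomain-rewritten"
    filtered_addrs = {rdata for rdata, _ in filtered.records}
    if vanilla.rcode == NOERROR and filtered_addrs and filtered_addrs <= synthetic:
        return "blocked"
    return "altered"  # a real answer replaced by something else: the case to alarm on


def compare_views(names: List[str], resolver: PolicyResolver, synthetic: Set[str]) -> Dict[str, str]:
    return {n: classify(authoritative(n), resolver.resolve(n), synthetic) for n in names}


if __name__ == "__main__":
    r = PolicyResolver(block_page="192.0.2.1", guide_page="192.0.2.2",
                       phishing={"examp1e-bank.com."}, typo_parking={"schwin.com."})
    names = ["schwinn.com.", "examp1e-bank.com.", "schwin.com.", "schwinnbicyclepumps.com."]
    for n, verdict in compare_views(names, r, {"192.0.2.1", "192.0.2.2"}).items():
        print(f"{n:28} {verdict}")
    # A TLD wildcard changes the authoritative answer itself, so this check cannot
    # see it: there is no "vanilla" view left to compare against.
    print(authoritative("schwinnbicyclepumps.com.", {"com.": "192.0.2.250"}).rcode)
```

The asymmetry the check exposes is the point of the post: against a policy resolver you can always obtain the unfiltered view from another resolver and see exactly what was rewritten, whereas a wildcard at the TLD rewrites the only authoritative view there is, so the "altered" verdict is the one worth alerting on and the wildcard case is the one no client-side comparison can catch.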

The important issue is how they will deal with the responsibility of possibly becoming a choke point or center of gravity on the internet. Posit, for argument's sake, that OpenDNS surpasses critical mass and at some point in the future, a significant portion of net users get their DNS recursion via OpenDNS (whether they know it or not).

OpenDNS would have the power to censor domains or classes of domains (the ability to mitigate phishing, some nut may argue, is already a form of censorship; a typosquatter somewhere surely will make that assertion); the ability to collate and disseminate query stats (the "Overture count" is already a key benchmark among domainers, and OpenDNS could go on to provide NXDOMAIN and other data); and they could conceivably put alternative root structures over the top.

All of which are heavy responsibilities.

By Mark Jeftovic, Co-Founder, easyDNS Technologies Inc. More blog posts from Mark Jeftovic can also be read here.

Comments

The issues you bring up are critically important and nothing I take lightly. I think we'll find the answers become more clear as we navigate forward and begin to discern what users want and what operators feel comfortable with.

I think we've made a good start in opening the discussion of creating intelligent resolvers. People manage their networks in so many ways that this seemed an inevitable direction.

The startup hopes to make money when users type in a nonexistent domain name, such as schwinnbicyclepumps.com.

Currently, web surfers simply get an error message when they attempt to navigate to an unused domain. OpenDNS users will instead be routed to a company server that will present a list of search engine results and paid advertisements.

As long as legitimate answers aren't being altered, there's no correlation that I can see. NXDOMAIN is a legitimate answer, but in the case of the service, it's the answer that is fair game. It's up front, forward, and not built into the infrastructure. And as remarked, in the service the option is to not use it. I like the security approach as a method of attracting users, and the typo squat fix to generate revenue. Very interesting. This is not Kashpureff or a wildcard. I support it.

We just noticed the Wired article linked to a domain that wasn't registered and rather than have someone else register it and make it a porn site we did the right thing. And now it still shows a host not found if you aren't using OpenDNS and if you are, you get some cool results for bike pumps.

That's a neat idea. Are you planning to make some sort of a differential resolution mechanism available to other domain registrants? What you could do is to forward schwinnbicyclepumps.com to schwinn.com in "vanilla" dns, and forward to your parking page in OpenDNS and, hey, Schwinn will never know you are monetizing their trademark unless they use an OpenDNS ISP.

One thing I remain curious about is the anti-phishing feature. Since a good deal of phishing emails utilize hyperlinks directly to an IP address rather than a domain name, presumably widespread deployment of OpenDNS would increase the proportion of phishers using IP address-based URLs. It would seem more effective for an ISP to use a real-time HTTP blacklist of IP addresses, as is done with SMTP blacklists, than to use a resolver which blacklists on the basis of domain names. Why would an ISP adopt a partial solution which is readily routed around instead of a more complete one?

I agree with what seems to be the majority opinion on NANOG: the existence of user choice decidedly means that this is not Sitefinder II.

However, as an "internet architecture dork/purist", I do see the potential for trouble in moving away from a single global view of what is "True" in DNS. Other than a difference in intent, correcting typos doesn't seem all that far from what some "alternate root" servers do by adding new TLDs like .porn, etc. Given the great work David, et al. did with everydns.net, I am optimistic that OpenDNS won't go to the "dark side". As long as ads are clearly labeled, I think that seems like a legit way of paying for the servers/bandwidth.

On another note, the security benefits to the "average" computer user seem at least plausible (I for one have seen plenty of phishing sites using DNS), as long as users understand that they are in no way completely protected from phishing.

Overall, I welcome the introduction of a little competition to the DNS market… sounds like fun :)

p.s. David, any long-term plans to verify DNSSEC information? Is anybody running it with BIND9? I know there aren't TLD keys out there for much now, but it seems like an alternate DNS service *might* be able to help solve the chicken & egg problem.

Sit tight today and check out some announcements we're about to make that should make things even more clear (literally) about how our service operates.

As for DNSSEC, I'd love to see what we can do. From what I remember at the Cisco hosted DNS Operations meeting a few weeks back, with the new DLV stuff it seems like we can, at the very least, verify zones. We haven't written the code to do this yet though. Haven't even looked at it. Securing the DNS happens in all kinds of levels and DNSSEC is definitely one of them.

Mark, it's a few months later and some support of what OpenDNS is doing. I had little issue with the original, simple model, but with the recent obfuscation of wildcards from ccTLD registries, I think that they've treaded into extremely nefarious waters.

Is this simply a war of the redirectors, where if one doesn't agree with the business practice of another, that each can simply over-ride the other?

The registry of the .CM ccTLD returns the "official" answers of that ccTLD. By obfuscating them in a middle layer without proper policy considerations, I think this is not in the spirit of how the communities work.

I can't say I fully disagree that this is interesting waters we are walking down. I feel strongly that users are the ultimate arbiter of what is the right thing to do. That is why we made a specific choice NOT to make it a default and we implemented based on user demand. I think ICANN made a mistake in not commenting on this practice.

Moreover, OpenDNS isn't just about this issue. When was the last time your current DNS provider added any new functionality? Most likely 15 years ago. Once you become an OpenDNS user you get the fastest, most reliable and secure DNS service available that gives you the greatest control and you ALSO get all of the new innovation we will be delivering, for free.

"I can't say I fully disagree that this is interesting waters we are walking down. I feel strongly that users are the ultimate arbiter of what is the right thing to do. That is why we made a specific choice NOT to make it a default and we implemented based on user demand. I think ICANN made a mistake in not commenting on this practice."

This is a feature similar to the one that ISC was sued over. It too was "off" by default. You are likely to not get sued by a non network providing company, but you are likely to have some exposure to network operators.

Your comments regarding ICANN are fairly uninteresting. It's fair to say that ICANN has been involved in the ccTLD realm rather extensively lately. You can observe this by monitoring their press releases and such related to framework agreements and exchanges of letters and other activities in the ccNSO.

In a nutshell, OpenDNS inserts itself between the provider and the infrastructure. It modifies provider critical settings, assists users in violating operational security policy that in most cases is for the good of the Internet, and allows revenue to be generated following the Site Finder model with some cosmetic tweaks.

The knobs to over-ride legitimately recognized ccTLD operators sit outside the edge of an agreement with the end user, which in their case is the terms of service of the provider and not a usage agreement with OpenDNS. I doubt that you can over-ride the TOS of the provider; OpenDNS becomes a poster child for the pro argument of net neutrality.

I'd be up for proposing to switch my users to OpenDNS if I had some assurances about what I was switching them to. http://www.opendns.com/terms/ doesn't give me any, and doesn't give me the warm fuzzy feeling. There's no date on them, and no notification of changes. There's no indication that users will be notified ahead of time of changes at all. That's a product I couldn't possibly propose switching my users to, even though I like the current feature set, especially for the M$ users. The only plus is the CC

Also, can I expect OpenDNS to be as reliable as the DNS? Can I expect it to respect TTLs? Not do stupid things like failing to resolve a domain if one of the domain's NS is not working? (Earthlink's resolvers were doing that for a friend's domain (not a customer); I realized later that perhaps this was because the non-working NS was not just not responding, but rather was responding, but in a way that didn't cause queries to go to the other NS, i.e. saying the domain authoritatively didn't exist.)

Example: What's to stop OpenDNS from making a bit of extra dough by sending 1% of, say, google.com lookups to theirsearchsite.dom and monetizing the traffic (and probably causing lots of unexpected ugly side effects despite efforts not to)? Saying their reputation will suffer just doesn't do it for me.

"Example: What's to stop OpenDNS from making a bit of extra dough by sending 1% of, say, google.com lookups to theirsearchsite.dom and monetizing the traffic (and probably causing lots of unexpected ugly side effects despite efforts not to)? Saying their reputation will suffer just doesn't do it for me."

I think doing something like this would go far beyond damaging their reputation, it would classify them as malware and probably wreck the company in short order. A company would probably be exposing themselves to some legal action as well.

A first line of defense against anybody doing it could be for authoritative DNS providers to block queries from any resolvers known to be shaving lookups in this manner. (Nothing stopping root TLD operators from following suit or setting an example either.)

That said, I don't see OpenDNS taking this route under any circumstance.

Mark, I think my point still stands: OpenDNS isn't making any commitments to do the right thing or anything at all, and there's a lot they could potentially get away with.

Let me clarify my constructive criticism: I would like to recommend OpenDNS to my clients and see it become popular, if OpenDNS would commit to making a best effort to announce all feature set changes, say a month in advance, on a web page and/or mailing list and/or RSS feed dedicated solely to that purpose. Maybe OpenDNS could commit to making available the current feature set, at no charge, as long as it is offering DNS services. It can't be expected to make commitments that involve anticipating all future features, but that doesn't mean that it can't be expected to make any service commitments in its agreement. There's nothing but a little lawyering keeping OpenDNS from implementing the changes I'm suggesting, and they'd make me comfortable using and recommending them. And I think they'd speed OpenDNS's growth.

(Recognize, there are lots of companies that do very harmful and criminal things on a regular basis, and they don't get wrecked. These ISPs are flourishing while knowingly harboring spammers and phishers; I regularly find SBC/AT&T defrauding my clients by overbilling as well. Microsoft is doing fine. VeriSign is doing fine. Even Arthur Andersen didn't die; it underwent metamorphosis.)

Sure, right now, there's not much that OpenDNS could get away with. But I'm not talking about right now. I'm talking about what they could get away with if/when they became dominant.

Points well taken. I know we can't announce features a month before we launch them because we move really fast and that's just not strategically wise.

One really important perspective to keep in mind: if we do something to annoy or upset you, you can just stop using us, just like you can stop using Google.

With that said, I understand many of your concerns and I want to see what I can do to answer or allay them. Would you be happy with diffs of our privacy policy and terms of service if and when we make changes? We have an RSS feed of our system status page at http://system.opendns.com/ and we could make sure to put feature launches and other changes in that feed and not just operational related posts.